Time and again, I've read that certain data breach lawsuits were tossed from court because they had no "standing." If a case has no standing, the courts dismiss it without the case going through trial. I bring this up because this is the second time I've read that perhaps there is something to "future harm."

What is future harm? It's the argument that's made by people suing companies embroiled in a data breach. Plaintiffs are concerned that the loss of personal information could result in some kind of harm at some point in the future. The loss of SSNs to hackers, for example, is a future harm because they could sell it to someone who uses one of the SSNs to get a mortgage loan.

The courts generally tend to side with the defendants because plaintiffs don't have a leg to stand on.

(Why am I covering this, despite the fact that I'm not a lawyer? Because (1) it's interesting and (2) encryption and the law are something of an odd couple.)

Standing Requirements

Injury: The plaintiff must have suffered or imminently will suffer injury—an invasion of a legally protected interest that is concrete and particularized. The injury must be actual or imminent, distinct and palpable, not abstract. This injury could be economic as well as non-economic.

Causation: There must be a causal connection between the injury and the conduct complained of, so that the injury is fairly traceable to the challenged action of the defendant and not the result of the independent action of some third party who is not before the court.

Redressability: It must be likely, as opposed to merely speculative, that a favorable court decision will redress the injury.

As I understand it, if a case fails to satisfy any one of the three requirements, it gets dismissed. The problem with "future harm" cases is that they run counter to the first requirement. The loss of personal information is generally not an actual or imminent harm, and "what if...?" scenarios -- such as, what if the hacker packages the SSN with my first and last name, and also my driver's license number from a separate hack? -- are quite abstract.

No wonder courts have been summarily dismissing cases.

Future Harm is Not Harm? Not So Fast, Says California

Well, it turns out that there may be something of substance to future harm after all:

In In re: Sony Gaming Networks, the plaintiffs filed suit after a security breach compromised the plaintiffs' personal data stored through the Playstation network.... As a constitutional matter, the court determined that threat of future harm is a "cognizable loss sufficient to satisfy Article III standing." [forbes.com]

...the court determined that the plaintiffs' claims could not stand under state common law, as California negligence law requires "appreciable, nonspeculative, present harm" as "an essential element of negligence." Thus, the plaintiffs' fear of future identity theft or fraud was not sufficient to provide standing. [forbes.com]

Perhaps the law is lagging. Or perhaps the plaintiffs took the wrong approach. Regardless, a court's view that potential harm arising from a data breach could (or does) confer standing is quite novel.

On the other hand, I'm not a lawyer. Everything law-related that doesn't get covered in police crime dramas on TV is pretty novel to me.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.